It is no wonder that more and more people are concerned about their security and privacy. Internet users have become more conscious of online safety and turn to security experts and independent portals such as antivirus-review.com. So they did not ignore Zoom's security holes but began discussing them actively.
What vulnerabilities does the Zoom service have, and what are the alternatives?
Data Transfer to Facebook
At the end of March, news broke that the iOS Zoom app transmitted user data to Facebook, even if the user had no account on the social network. The information Zoom sent to Facebook included the phone model, time zone, city, carrier, and the device's unique advertising ID. All of this can be used to target ads.
Zoom then released an update and announced that its developers had removed the embedded code responsible for sharing these details with Facebook. Two days later, however, the company became the defendant in a privacy lawsuit filed in a California court.
Weak Video Encryption
Also in March, The Intercept reported that Zoom does not use end-to-end encryption (E2E) for video and audio, which is considered the most secure method on the Internet. A similar encryption method is used in Apple's FaceTime video call service.
Zoom's website and its white paper for customers stated that this type of encryption was used, but in practice Zoom relies on TLS. TLS works differently: it encrypts data not between one user and another, but between each user and the server, so the company itself can view the unencrypted video and audio content. In other words, Zoom is technically able to spy on users and could hand files over to law enforcement on request.
In response to the article, Zoom explained that the term E2E encryption has a different meaning in its marketing materials. In fact, only Zoom text chats have E2E protection. Zoom also said it did not have access to session keys and could not decrypt the messages users exchanged.
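To make the distinction concrete, here is an added Python illustration that is not from the original article or from Zoom. It models a relay server that terminates each participant's transport encryption (the TLS-style arrangement described above) and shows that the server sees plaintext unless the participants layer their own end-to-end encryption underneath. The cipher is a toy HMAC-SHA256 keystream used only for illustration, the pre-shared keys and the sample frame are constructed, and the class and function names are assumptions of this example.

```python
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream derived with HMAC-SHA256.
    Illustration only: a real system would use an authenticated cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out += block
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR the data with the keystream; decryption is the same operation."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


decrypt = encrypt  # symmetric stream cipher


class Relay:
    """Conference server holding a transport (TLS-like) session key per client.
    It strips the sender's transport layer, records whatever it can see,
    and re-encrypts for the receiver."""

    def __init__(self, transport_keys: dict):
        self.transport_keys = transport_keys
        self.observed = []  # what the server saw after removing its own layer

    def forward(self, sender: str, receiver: str, nonce: bytes, frame: bytes) -> bytes:
        inner = decrypt(self.transport_keys[sender], nonce, frame)
        self.observed.append(inner)
        return encrypt(self.transport_keys[receiver], nonce, inner)


def run_transport_only(message: bytes):
    """Client-to-server encryption only: the relay terminates it and reads the frame."""
    alice_key, bob_key = os.urandom(32), os.urandom(32)  # constructed session keys
    relay = Relay({"alice": alice_key, "bob": bob_key})
    nonce = os.urandom(12)
    on_wire = encrypt(alice_key, nonce, message)
    delivered = relay.forward("alice", "bob", nonce, on_wire)
    received = decrypt(bob_key, nonce, delivered)
    return received, relay.observed[0]


def run_e2e(message: bytes):
    """End-to-end: participants share a key the relay never holds, then add the
    transport layer on top. The relay removes only its own layer."""
    alice_key, bob_key = os.urandom(32), os.urandom(32)  # constructed session keys
    e2e_key = os.urandom(32)  # constructed: known to alice and bob only
    relay = Relay({"alice": alice_key, "bob": bob_key})
    inner_nonce, outer_nonce = os.urandom(12), os.urandom(12)  # sent as frame headers
    inner = encrypt(e2e_key, inner_nonce, message)
    on_wire = encrypt(alice_key, outer_nonce, inner)
    delivered = relay.forward("alice", "bob", outer_nonce, on_wire)
    received = decrypt(e2e_key, inner_nonce, decrypt(bob_key, outer_nonce, delivered))
    return received, relay.observed[0]


if __name__ == "__main__":
    frame = b"constructed sample audio frame"
    got, seen = run_transport_only(frame)
    print("transport-only: delivered ok =", got == frame, "| server saw plaintext =", seen == frame)
    got, seen = run_e2e(frame)
    print("end-to-end:     delivered ok =", got == frame, "| server saw plaintext =", seen == frame)
```

In both runs the receiver gets the frame intact; the difference is only in what `Relay.observed` contains, which is exactly the property Zoom's marketing language blurred.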
Unknown Security “Holes”
In mid-March, Vice reported that attackers were selling details of two previously unknown and unpatched vulnerabilities in Zoom that allow calls to be monitored. According to Adriel Desautels, founder of the company Netragard, one of the exploits targets the Windows operating system and the other macOS.
He doubts they could be used for long, because once zero-day vulnerabilities start being exploited they quickly become known and are closed. According to one of those interviewed, the Windows vulnerability is "ideal for industrial espionage," and the seller was asking $500,000 for it. Zoom later said it had found no confirmation of this information.
In January, the cybersecurity company Check Point reported another Zoom flaw that allowed an attacker to eavesdrop on calls and access all audio, video, and documents users exchanged in chat rooms. Zoom conference identification numbers typically consist of 9 to 11 characters. An attacker could generate a long list of candidate identifiers and then use automated tools to check quickly which of them corresponded to a valid Zoom conference. If the ID was valid and the conference was not password protected, the attacker could join it. Check Point estimated that a guessed ID matched a real call in 4% of cases.
Zoom has since fixed this problem: identifiers have been replaced with "more reliable cryptological" ones, and a password is now mandatory to connect. After several failed attempts to connect to a session, the platform "locks" the offending device.
The ubiquity of Zoom has attracted intruders who join conferences and start displaying videos of violence or pornography. The phenomenon has been named Zoombombing. The internet trolls behind it have no aim other than disrupting meetings. To join a conference, they look for links that users themselves have posted publicly.
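The lockout Zoom describes is a standard defence against ID guessing: once a source has produced too many failed join attempts in a short window, further attempts from it are refused for a while, whether or not the next ID is valid. The following Python sketch, added here as an illustration and not Zoom's own code, implements that rule and replays it over a constructed stream of join events. The `JoinGuard` class, the thresholds, the source addresses and the event list are all assumptions of this example.

```python
from collections import defaultdict, deque


class JoinGuard:
    """Refuse join attempts from a source that failed `max_failures` times
    within `window_seconds`; the refusal lasts `lock_seconds`."""

    def __init__(self, max_failures: int = 5, window_seconds: int = 60, lock_seconds: int = 300):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lock_seconds = lock_seconds
        self.failures = defaultdict(deque)  # source -> timestamps of recent failures
        self.locked_until = {}              # source -> time the lock expires

    def is_locked(self, source: str, now: float) -> bool:
        return self.locked_until.get(source, 0) > now

    def record(self, source: str, now: float, success: bool) -> str:
        """Apply one join attempt and return the decision: 'allowed' or 'locked'."""
        if self.is_locked(source, now):
            return "locked"  # refused even if this attempt used a valid ID
        if success:
            self.failures[source].clear()
            return "allowed"
        recent = self.failures[source]
        recent.append(now)
        # drop failures that fell out of the sliding window
        while recent and recent[0] <= now - self.window_seconds:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[source] = now + self.lock_seconds
            return "locked"
        return "allowed"


# Constructed join events: (source, timestamp in seconds, did the meeting ID exist?)
SAMPLE_EVENTS = [
    ("10.0.0.5", 0, False),
    ("10.0.0.5", 1, False),
    ("10.0.0.5", 2, False),
    ("10.0.0.5", 3, False),
    ("10.0.0.5", 4, False),    # fifth failure inside the window: lock for 300 s
    ("10.0.0.5", 5, True),     # valid ID, but the source is still locked
    ("10.0.0.9", 6, False),    # an unrelated source is unaffected
    ("10.0.0.9", 7, True),
    ("10.0.0.5", 400, True),   # lock expired at t=304, so this is allowed again
]


def replay(events, guard: JoinGuard):
    """Feed events through the guard in order and collect the decisions."""
    return [guard.record(src, t, ok) for src, t, ok in events]


def run_sample():
    return replay(SAMPLE_EVENTS, JoinGuard())


if __name__ == "__main__":
    for (src, t, ok), decision in zip(SAMPLE_EVENTS, run_sample()):
        print(f"t={t:>3} {src:<9} valid_id={ok!s:<5} -> {decision}")
```

The guard keys on a source identifier; in practice that would be a device or account identity rather than a bare IP address, and the lock and window lengths are tuning choices that trade user friction against how many guesses an attacker gets per hour.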
Code Storage in China
The encryption keys used by Zoom were sometimes sent to Chinese servers. Although headquartered in Silicon Valley, Zoom owns three Chinese subsidiaries that employ at least 700 software developers, so the company could theoretically come under pressure from the Chinese authorities.
After this was disclosed, Zoom, starting on April 18, gave owners of paid accounts the option to choose the region through which their encryption keys are sent.
Incomplete Video Removal
The Cnet.com portal reported a vulnerability that made it possible to find stored Zoom videos by searching for publicly shared links containing part of the URL, for example the name of a company or organization. The video could then be downloaded and watched. It was also found that deleted videos remained available in the cloud for several hours after deletion.
Zoom released updates that should fix the flaw.
What Does Zoom Say?
Initially, the video conferencing service focused primarily on corporate clients: large institutions with full IT support, among them major financial, telecommunications, and government organizations.
Zoom was not prepared for almost everyone in the world being forced, within just a few weeks, to work, study, and communicate from home. At the end of December 2019 Zoom was used by 10 million people; by March 2020 more than 200 million people were using it.
Zoom promises to pay more attention to cybersecurity. The company has already hired Luta Security, whose head, Katie Moussouris, is known for her work with Microsoft, Symantec, and the Pentagon. Zoom is also ready to pay for vulnerabilities found: the company has launched a bug bounty program that rewards security researchers who find security gaps and report them to Zoom.